{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-003.pdf"
    },
    "title": "Critical Vulnerability in Apache OFBiz",
    "serial_number": "2024-003",
    "publish_date": "09-01-2024 09:11:53",
    "description": "On December 26, 2023, the Apache OFBiz project released an update addressing a critical vulnerability in Apache OFBiz. The vulnerability allows attackers to bypass authentication, which could lead to remote code execution (RCE).<br>\n",
    "url_title": "2024-003",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Apache\u00a0OFBiz'\nnumber: '2024-003'\nversion: '1.0'\noriginal_date: 'December 26, 2023'\ndate: 'January 9, 2024'\n---\n\n_History:_\n\n* _09/01/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 26, 2023, the Apache OFBiz project released an update addressing a critical vulnerability in Apache OFBiz. The vulnerability allows attackers to bypass authentication, which could lead to remote code execution (RCE) [1].\n\n# Technical Details\n\nThe vulnerability, identified as **CVE-2023-51467** with a CVSS score of 9.8 [2], may allow an attacker to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF). A successful exploit may allow the attacker to perform remote code execution.\n\n# Affected Products\n\nThis vulnerability affects Apache OFBiz versions below 18.12.11 [3,4].\n\n# Recommendations\n\nIt is recommended to upgrade to version 18.12.11 as soon as possible.\n\n# References\n\n[1] <https://lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv>\n\n[2] <https://nvd.nist.gov/vuln/detail/CVE-2023-51467>\n\n[3] <https://issues.apache.org/jira/browse/OFBIZ-12873>\n\n[4] <https://ofbiz.apache.org/release-notes-18.12.11.html>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>09/01/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 26, 2023, the Apache OFBiz project released an update addressing a critical vulnerability in Apache OFBiz. The vulnerability allows attackers to bypass authentication, which could lead to remote code execution (RCE) [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability, identified as <strong>CVE-2023-51467</strong> with a CVSS score of 9.8 [2], may allow an attacker to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF). A successful exploit may allow the attacker to perform remote code execution.</p><h2 id=\"affected-products\">Affected Products</h2><p>This vulnerability affects Apache OFBiz versions below 18.12.11 [3,4].</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to upgrade to version 18.12.11 as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv\">https://lists.apache.org/thread/9tmf9qyyhgh6m052rhz7lg9vxn390bdv</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2023-51467\">https://nvd.nist.gov/vuln/detail/CVE-2023-51467</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://issues.apache.org/jira/browse/OFBIZ-12873\">https://issues.apache.org/jira/browse/OFBIZ-12873</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://ofbiz.apache.org/release-notes-18.12.11.html\">https://ofbiz.apache.org/release-notes-18.12.11.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}